免费注册 查看新帖 |

Chinaunix

  平台 论坛 博客 文库
最近访问板块 发新帖
查看: 1237 | 回复: 0

Security Update 2012-08-17 released [复制链接]

论坛徽章:
59
2015七夕节徽章
日期:2015-08-24 11:17:25ChinaUnix专家徽章
日期:2015-07-20 09:19:30每周论坛发贴之星
日期:2015-07-20 09:19:42ChinaUnix元老
日期:2015-07-20 11:04:38荣誉版主
日期:2015-07-20 11:05:19巳蛇
日期:2015-07-20 11:05:26CU十二周年纪念徽章
日期:2015-07-20 11:05:27IT运维版块每日发帖之星
日期:2015-07-20 11:05:34操作系统版块每日发帖之星
日期:2015-07-20 11:05:36程序设计版块每日发帖之星
日期:2015-07-20 11:05:40数据库技术版块每日发帖之星
日期:2015-07-20 11:05:432015年辞旧岁徽章
日期:2015-07-20 11:05:44
发表于 2012-08-26 21:39 |显示全部楼层
Security Update 2012-08-17 releasedPosted on 2012-08-17
The PostgreSQL Global Development Group today released security updates for all active branches of the PostgreSQL database system, including versions 9.1.5, 9.0.9, 8.4.13 and 8.3.20. This update patches security holes associated with libxml2 and libxslt, similar to those affecting other open source projects. All users are urged to update their installations at the first available opportunity.
This security release fixes a vulnerability in the built-in XML functionality, and a vulnerability in the XSLT functionality supplied by the optional XML2 extension. Both vulnerabilities allow reading of arbitrary files by any authenticated database user, and the XSLT vulnerability allows writing files as well. The fixes cause limited backwards compatibility issues. These issues correspond to the following two vulnerabilities:
This release also contains several fixes to version 9.1, and a smaller number of fixes to older versions, including:
  • Updates and corrections to time zone data
  • Multiple documentation updates and corrections
  • Add limit on max_wal_senders
  • Fix dependencies generated during ALTER TABLE ADD CONSTRAINT USING INDEX.
  • Correct behavior of unicode conversions for PL/Python
  • Fix WITH attached to a nested set operation (UNION/INTERSECT/EXCEPT).
  • Fix syslogger so that log_truncate_on_rotation works in the first rotation.
  • Only allow autovacuum to be auto-canceled by a directly blocked process.
  • Improve fsync request queue operation
  • Prevent corner-case core dump in rfree().
  • Fix Walsender so that it responds correctly to timeouts and deadlocks
  • Several PL/Perl fixes for encoding-related issues
  • Make selectivity operators use the correct collation
  • Prevent unsuitable slaves from being selected for synchronous replication
  • Make REASSIGN OWNED work on extensions as well
  • Fix race condition with ENUM comparisons
  • Make NOTIFY cope with out-of-disk-space
  • Fix memory leak in ARRAY subselect queries
  • Reduce data loss at replication failover
  • Fix behavior of subtransactions with Hot Standby
Users who are relying on the built-in XML functionality to validate external DTDs will need to implement a workaround, as this security patch disables that functionality. Users who are using xslt_process() to fetch documents or stylesheets from external URLs will no longer be able to do so. The PostgreSQL project regrets the need to disable both of these features in order to maintain our security standards. These security issues with XML are substantially similar to issues patched recently by the Webkit (CVE-2011-1774), XMLsec (CVE-2011-1425) and PHP5 (CVE-2012-0057) projects.
As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries. Perform post-update steps after the database is restarted.
All supported versions of PostgreSQL are affected. See the release notes for each version for a full list of changes with details of the fixes and steps.
Download new versions now at the main download page.


您需要登录后才可以回帖 登录 | 注册

本版积分规则 发表回复

  

北京盛拓优讯信息技术有限公司. 版权所有 京ICP备16024965号-6 北京市公安局海淀分局网监中心备案编号:11010802020122 niuxiaotong@pcpop.com 17352615567
未成年举报专区
中国互联网协会会员  联系我们:huangweiwei@itpub.net
感谢所有关心和支持过ChinaUnix的朋友们 转载本站内容请注明原作者名及出处

清除 Cookies - ChinaUnix - Archiver - WAP - TOP